AWS SAP-C02 · Question 18 · Domain 1.4: Multi-Account Environment
A company has 100 AWS accounts. They want to centralize all AWS CloudTrail logs into a single S3 bucket in a dedicated Log Archive account. The solution must ensure that member accounts cannot modify or delete the logs. What is the BEST approach?
Answer options:
Create a CloudTrail trail in each member account and configure cross-account delivery to the S3 bucket.
Create an Organization trail in the management account. Configure it to deliver logs to an S3 bucket in the Log Archive account.
Use AWS Config aggregator to collect CloudTrail logs centrally.
Deploy a Lambda function in each account to forward CloudWatch Logs to the central S3 bucket.